GMS-2020-761: Reverse Tabnabbing in quill

September 3, 2020 (updated September 28, 2021)

Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-588m-9qg5-35pq
github.com/quilljs/quill/issues/2438
github.com/quilljs/quill/pull/2674
www.npmjs.com/advisories/1039

Code Behaviors & Features

Detect and mitigate GMS-2020-761 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →